I don't see the point. If you don't want people to see the path, don't
allow traceroute in (or stop it after the first NAT). If you do, what do
you care if the layers of NAT can be enumerated? If anything even remotely
useful to an attacker can be done to your network because someone knows how
many layers of NAT you have, you have a lot bigger problems than showing
that in a traceroute.

pf scrub does have a min-ttl option but it's not one that's exposed
anywhere in the GUI and would require changing the source to use. Not
something I've ever seen a real need to use.


On Thu, Jul 10, 2014 at 4:51 PM, Blake Cornell <
[email protected]> wrote:

> I would put it on a report as an issue... furthermore... no
> comment...
>
> --
> Blake Cornell
> CTO, Integris Security LLC
> 501 Franklin Ave, Suite 200
> Garden City, NY 11530 USA
> http://www.integrissecurity.com/
> O: +1(516)750-0478
> M: +1(516)900-2193
> PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
> Free Tools: https://www.integrissecurity.com/SecurityTools
> Follow us on Twitter: @integrissec
>
> On 07/10/2014 05:29 PM, Walter Parker wrote:
>
> I disagree that this is a vulnerability/weakness. If this is truly your
> only issue with the network, I'd call it good and done if you are not the
> DOD/NSA.
>
>  If you are, then you need to start again with an even more secure
> foundation.
>
>
>  Walter
>
>
>  On Thu, Jul 10, 2014 at 2:25 PM, Blake Cornell <
> [email protected]> wrote:
>
>> There is a reason for it. It works well except for this ONE issue.
>>
>> I like setting up 0 vulnerability/weakness networks. This is the only
>> one minus presentation/application issues.
>>
>> Thank you both for your input. I'll touch base when I determine a
>> resolution strategy.
>>
>> --
>> Blake Cornell
>> CTO, Integris Security LLC
>> 501 Franklin Ave, Suite 200
>> Garden City, NY 11530 USA
>> http://www.integrissecurity.com/
>> O: +1(516)750-0478
>> M: +1(516)900-2193
>> PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
>> Free Tools: https://www.integrissecurity.com/SecurityTools
>> Follow us on Twitter: @integrissec
>>
>>  On 07/10/2014 01:49 PM, James Bensley wrote:
>> > Further to what Walter has said - Double NAT....Boooooooo!
>> > _______________________________________________
>> > List mailing list
>> > [email protected]
>> > https://lists.pfsense.org/mailman/listinfo/list
>>
>>
>
>
>
>  --
> The greatest dangers to liberty lurk in insidious encroachment by men of
> zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
>
>